Ask them if they'd also be fine with hackers potentially leaking
all their account data to the public.
There are enough real-life examples, like the Equifax debacle or
that "dating" site where multiple people committed suicide when
their online identities got leaked.
The only way to guarantee personal data cannot be abused by
anyone, authority or not, is when those data don't exist at all.
We know that governments are too incompetent to follow best
practices in security, we know that this kind of power gets
abused with barely any limits because there's no
accountability(e.g. when a prominent German singer did a concert
police officers made 83 lookups of her data in the police
database just in that single night. Nothing ever came out of
it even though the police had to admit those numbers aren't
possible without abuse).
I suspect that to a great degree, people who say they have nothing to hid do have something to hide, but are trying to bluster their way out of closer scrutiny. The Ashley Madison thing is an excellent example, if anyone would commit suicide over having details of that nature leaked they certainly wouldn't admit to having anything of the sort on their conscience when discussing the matter with friends or family.
It's a bit of a tricky situation because as has been noted upthread, the best practical way to maintain privacy is to simulate the ambient data noise. So in a sense, loudly proclaiming one has nothing to hide is the best strategy for keeping one's own privacy secure, but at the expense of everyone else's.
I don't get into these conversations much, but if I do perhaps I should try out the response: "I don't have anything to hide either, but I know a lot of my fellow citizens value their privacy. So I'm willing to advocate for it even though I know it will lead to more scrutiny on myself. Anyone who's afraid of that extra scrutiny is suspect! What are you really hiding!?"
There are enough real-life examples, like the Equifax debacle or that "dating" site where multiple people committed suicide when their online identities got leaked.
The only way to guarantee personal data cannot be abused by anyone, authority or not, is when those data don't exist at all. We know that governments are too incompetent to follow best practices in security, we know that this kind of power gets abused with barely any limits because there's no accountability(e.g. when a prominent German singer did a concert police officers made 83 lookups of her data in the police database just in that single night. Nothing ever came out of it even though the police had to admit those numbers aren't possible without abuse).